by olalonde 3676 days ago
How do you integrate this with your existing API? Do you need to proxy requests through Hydra or do you just need to read and trust Hydra-signed tokens on every request? Is there any overlap with https://getkong.org/?
2 comments

Currently hydra issues opaque tokens but has the capabilities to switch to JWT in the future. There is a warden HTTP API endpoint that you can use to inspect tokens and use hydra's access control. I will probably add a more common token info endpoint or an OAuth2 Token Introspection endpoint ( https://tools.ietf.org/html/rfc7662 ) later on.

I haven't used kong yet but from my first impression it should be possible to use hydra together with kong.

You're doing OIDC but OIDC requires JWT. Well, sorry, but if you're not using JWT then this isn't OIDC. The whole point of OIDC is token verification: you provide an identity and that identity can be verified.
Ok, thanks. So let's say I wanted to use Hydra for authenticating requests made to my REST API, I'd have to make an API call to Hydra on each request, right? Would be interesting to have some integration examples with popular web frameworks (e.g. Express.js, Rails, Django, etc.).

Thanks for releasing this by the way, looks really well engineered. I'm sure you've considered it already, but you could probably sell a hosted version (a la https://auth0.com) to make money and finance development.

Depends, if you use JWT you can cryptographically verify that the token and the token claims are valid. Right now, Hydra does not issue JWTs but it would be easy as pie to add that functionality.

Writing an integration guide for this is a very good idea. Hydra's APIs are validating all requests using that technique, but it's not documented.

Auth0.com is pretty cool, they have done some cool projects that help OAuth developers. However, they are overpriced imho. Hosting hydra is definitely something I will consider. Thanks! :)

You have to query the token validation endpoint to have your reference token validated. That's how OAuth2 works. With OpenID Connect you get a JWT which can be validated without a call to the identity provider.
One thing I've not quite got my head around with JWT is not authenticating tokens with the server on each request: am I really just meant to assume a token is trusted until its expiry time? What if a user signs out all their sessions in the meantime, or an employee is fired and needs access revoking? As far as I can tell I do just have to use short-lived tokens and renew them frequently, but that comes with its own set of problems when doing JavaScript-based applications and implicit auth.
Technically JWTs cannot be revoked once they're issued (they just expire). You have to make sure that you delete the JWT from your preferred storage when you sign a user out and issue JWTs for a short period.

Your other option is to allow blacklisting of JWTs per client. However, this will add the additional overhead of making an HTTP request to check if a token is blacklisted. That's how Auth0 does it in their commercial OpenID Connect provider.

That's the trade-off. Either you have "real-time" data but need a database roundtrip, or you save latency but must accept the downside. However, you can use short token lifetimes to mitigate that, something like 10 minutes for example.
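As an added example (not Hydra's, Auth0's or any commenter's code), here is the resource-server side of the trade-off discussed in the thread: a JWT is verified locally (signature, then `exp`) with no call to the identity provider, and an optional denylist of revoked token ids (`jti`) is consulted to regain "real-time" sign-out at the cost of a lookup. The HS256 key, the claims and the denylist are all constructed for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key shared by the issuer and the resource server (HS256).
SECRET = b"constructed-demo-key-not-for-production"
# Constructed denylist of revoked token ids (jti); stands in for a DB/cache lookup.
REVOKED_JTI = set()

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Mint a compact HS256 JWT: header.payload.signature (what the IdP would do)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_jwt(token: str, now=None, key: bytes = SECRET, revoked=REVOKED_JTI) -> dict:
    """Resource-server check without calling the issuer: signature, exp, then denylist."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed")
    h, p, s = parts
    # Pin the algorithm before trusting anything else in the header.
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("bad alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))  # only now are the claims trustworthy
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired")
    # Optional "real-time" revocation: costs a lookup, buys immediate sign-out.
    if claims.get("jti") in revoked:
        raise ValueError("revoked")
    return claims

def check_token(token: str, now=None) -> str:
    """Return 'ok' or the reason the token was rejected."""
    try:
        verify_jwt(token, now)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

Without the denylist, `verify_jwt` is the pure JWT model the thread describes: nothing short of `exp` stops a token once issued, which is why short lifetimes (10 minutes or so) matter.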